To authenticate with DynamoDB we use IAM roles - our persistence is in a different AWS Service Account to compute - however on developer machines running DynamoDB-local containers we override the behaviour with environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), for which we also provide a custom endpoint resolver.

We see jitter when credentials expire: I believe this is because fresh IAM tokens are being obtained by the SDK only after expiry; they are not pre-authenticated prior to expiry.

I would like to hook into the default GoLang credentials.Provider chain to pre-cache valid credentials ahead of expiry to reduce expired token refresh time. The docs talk about different providers, but it isn't clear to me how I can use the existing chain/behaviour and just replace the token refresh with a goroutine to rotate credentials ahead of expiry.

Can this be done, or do I need to provide a complete custom chain? I'd like to avoid this if at all possible because the environment variables in aws-sdk-go-v2/[email protected]/env_config.go are mostly private.

1 Answer

There are load options for lazy-refresh prior to expiry, although this won't be used if the system is quiet (meaning test environments won't benefit from this if they have been left to go cold):

    
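    // Imports: "context", "log", "time", "github.com/aws/aws-sdk-go-v2/aws",
    //   awsconfig "github.com/aws/aws-sdk-go-v2/config",
    //   "github.com/aws/aws-sdk-go-v2/service/dynamodb",
    //   "github.com/aws/smithy-go/auth/bearer"
    optFns := []func(options *awsconfig.LoadOptions) error{
        awsconfig.WithBearerAuthTokenCacheOptions(func(options *bearer.TokenCacheOptions) {
            options.RefreshBeforeExpires = 90 * time.Second
            options.RetrieveBearerTokenTimeout = 5 * time.Second
            options.AsyncRefreshMinimumDelay = 100 * time.Millisecond
        }),
        awsconfig.WithCredentialsCacheOptions(func(options *aws.CredentialsCacheOptions) {
            options.ExpiryWindow = 30 * time.Second
            options.ExpiryWindowJitterFrac = 0.5
        }),
    }

    // These are config load options, so they go to LoadDefaultConfig,
    // not to dynamodb.NewFromConfig.
    cfg, err := awsconfig.LoadDefaultConfig(context.TODO(), optFns...)
    if err != nil {
        log.Fatal(err)
    }
    client := dynamodb.NewFromConfig(cfg)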
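
The goroutine-based pre-refresh asked about in the question, as an added example that is not part of the original answer or of the AWS SDK: it keeps credentials valid even while the system is quiet, the case the lazy-refresh options do not cover. `Credentials`, `Fetch`, `Prewarmed` and `NewPrewarmed` are hypothetical local stand-ins shaped like the SDK's `aws.Credentials` and `aws.CredentialsProvider`, so the sketch runs without the SDK, and the source in `main` is constructed.

```go
package main

import (
	"context"
	"fmt"
	"sync/atomic"
	"time"
)

type Credentials struct{ Expires time.Time }            // stand-in (assumption) for aws.Credentials
type Fetch func(context.Context) (Credentials, error) // stand-in (assumption) for aws.CredentialsProvider
// Prewarmed caches credentials; Retrieve never calls upstream, so callers do not wait on a token exchange.
type Prewarmed struct{ cur atomic.Value }
func (p *Prewarmed) Retrieve(context.Context) (Credentials, error) { return p.cur.Load().(Credentials), nil }

// NewPrewarmed fetches once, then renews `lead` before each expiry until ctx is cancelled; `retry` is the minimum delay.
func NewPrewarmed(ctx context.Context, src Fetch, lead, retry time.Duration) (*Prewarmed, error) {
	first, err := src(ctx)
	if err != nil {
		return nil, err
	}
	p := &Prewarmed{}
	p.cur.Store(first)
	go func() {
		for {
			wait := time.Until(p.cur.Load().(Credentials).Expires.Add(-lead))
			if wait < retry { // floor; also the back-off after a failed renewal
				wait = retry
			}
			select {
			case <-ctx.Done(): // stop renewing on shutdown
				return
			case <-time.After(wait):
			}
			if c, err := src(ctx); err == nil { // on error keep the old value
				p.cur.Store(c)
			}
		}
	}()
	return p, nil
}

func main() { // constructed source: every call issues credentials valid for 200ms
	src := func(context.Context) (Credentials, error) { return Credentials{Expires: time.Now().Add(200 * time.Millisecond)}, nil }
	p, _ := NewPrewarmed(context.Background(), src, 100*time.Millisecond, 10*time.Millisecond)
	time.Sleep(time.Second) // quiet system: nobody asks for credentials
	c, _ := p.Retrieve(context.Background())
	fmt.Println("valid after idle:", time.Now().Before(c.Expires))
}
```

Cancel the context passed to `NewPrewarmed` on shutdown so the renewal goroutine exits.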